Sponsored: Automate Office 365 User Licensing

Editor’s Note: This blog post is the fourth in a four-part blog series from Adaxes.

Azure Active Directory (AAD) is the identity management solution that powers Office 365 and, just like on-premises Active Directory (AD), it requires careful management to avoid security problems. But management and security are not the only concerns: a common problem that organizations face is how to automate the assignment and revocation of Office 365 licenses.

Microsoft doesn’t provide a turnkey solution for managing Office 365 licenses through the full lifecycle, but there are ways to automate the assignment of licenses using PowerShell. If you need to ensure that users have the correct licenses assigned, and that they’re automatically revoked as users are deprovisioned, then look to a third-party solution, such as Softerra Adaxes.

PowerShell AAD Module

PowerShell can be used to create new users in the directory associated with your Office 365 tenant, and at the same time you can assign Office 365 licenses, or assign and remove licenses after the fact. Before you can use the cmdlets below, you’ll need to install the AAD PowerShell Module, which can be found here.

Use Connect-MsolService to log in to Office 365, and then run the Get-MsolAccountSku cmdlet to get a list of available licensing plans (AccountSkuId) and licenses accessible from your Office 365 subscription.

The New-MsolUser cmdlet can be used with the -LicenseAssignment parameter to assign licenses when a user is provisioned:
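
The provisioning flow described above, together with the after-the-fact license removal mentioned earlier, as an added PowerShell example that is not from the original post or from Microsoft. The tenant name contoso, the SKU, the user details and the helper function names are constructed placeholders; only the Msol cmdlets come from the AAD module.

```powershell
# Added example; tenant, SKU and user values below are constructed placeholders.
Import-Module MSOnline
Connect-MsolService   # prompts for admin credentials

$skuId = 'contoso:ENTERPRISEPACK'   # placeholder; use an AccountSkuId listed by Get-MsolAccountSku

function Get-FreeLicenseCount {
    param([Parameter(Mandatory)][string]$AccountSkuId)
    $sku = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $AccountSkuId }
    if (-not $sku) { throw "SKU '$AccountSkuId' not found in this tenant." }
    return $sku.ActiveUnits - $sku.ConsumedUnits
}

function New-LicensedUser {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$UsageLocation,   # two-letter country code; needed before a license can be assigned
        [Parameter(Mandatory)][string]$AccountSkuId
    )
    # Fail early instead of creating an unlicensed account when the pool is exhausted.
    if ((Get-FreeLicenseCount -AccountSkuId $AccountSkuId) -lt 1) {
        throw "No free units left for '$AccountSkuId'."
    }
    New-MsolUser -UserPrincipalName $UserPrincipalName -DisplayName $DisplayName `
                 -UsageLocation $UsageLocation -LicenseAssignment $AccountSkuId
}

function Revoke-UserLicenses {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName
    # Block sign-in first so the account is unusable even if license removal fails.
    Set-MsolUser -UserPrincipalName $UserPrincipalName -BlockCredential $true
    $assigned = @($user.Licenses | ForEach-Object { $_.AccountSkuId })
    if ($assigned.Count -gt 0) {
        Set-MsolUserLicense -UserPrincipalName $UserPrincipalName -RemoveLicenses $assigned
    }
    # Return the resulting state so the caller can log it or alert on leftovers.
    Get-MsolUser -UserPrincipalName $UserPrincipalName |
        Select-Object UserPrincipalName, BlockCredential, IsLicensed
}

# Provision a licensed user.
New-LicensedUser -UserPrincipalName 'jdoe@contoso.onmicrosoft.com' -DisplayName 'Jane Doe' `
                 -UsageLocation 'US' -AccountSkuId $skuId

# Later, when the same account is deprovisioned:
Revoke-UserLicenses -UserPrincipalName 'jdoe@contoso.onmicrosoft.com'
```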

C# Automation Service

Microsoft provides details about how it manages Office 365 licensing in Automating licensing for Office 365 in a hybrid environment. It developed a C# automation service application that runs on Windows Server, and assigns licenses as new users are created in on-premises AD and synchronized to AAD.

Microsoft’s script uses the Graph API to return a list of users based on information provided in an XML config file. PowerShell is then used to create a list of users that have certain attributes, such as an email address in a specific format, and to add those users to a group. The automation service then assigns licenses to users according to their group membership.

Softerra Adaxes

PowerShell and Microsoft’s automation service both require knowledge of scripting and C#, plus significant effort to tailor these solutions to your organization’s needs. Implementing a service to manage Office 365 licenses will also require compute resources, and none of the solutions provide a means for revoking licenses.

Adaxes allows system administrators to assign Office 365 licenses automatically based on a set of conditions, such as an AD attribute, and automatically removes licenses as users are deprovisioned. And because Adaxes is an integrated solution, modifications to AD user accounts that trigger condition-based automation rules cause Office 365 licenses to be granted or revoked in real time, without having to wait for scripts to run. To complete the user provisioning process, Adaxes can also create Exchange Online mailboxes for users, and event-driven rules can be set up to configure mailbox features, such as enabling Unified Messaging, archiving, and setting storage limits.

Unlike the disparate management tools provided by Microsoft, Adaxes provides one management pane for managing AD and the additional features provided by Office 365, making management easier for Help Desk and IT staff. Web management consoles let employees keep their personal information up to date, and let IT staff work with a streamlined interface that can be customized with company branding, with features added or removed as required.

Role-Based Access Control (RBAC) can be used to grant users access to Office 365 management features based on the principle of least privilege. For example, managers can be given permission to approve license assignment requests without granting access to the entire tenant. It’s also worth mentioning that Adaxes supports management of multiple Office 365 tenants in one administrative environment. An Office 365 tenant can be associated with users in chosen OUs, groups, or one or more AD domains.

For more information about how to use Adaxes to automate Office 365 licensing, see Softerra’s website.

About the Contributor

Russell Smith specializes in the management and security of Microsoft-based IT systems. In addition to blogging about Windows and Active Directory for the Petri IT Knowledgebase, Russell is a Contributing Editor at CDW’s Biztech Magazine. Russell has more than 15 years of experience in IT, has written a book on Windows security, co-authored one for Microsoft’s Official Academic Course (MOAC) series and has delivered several courses for Pluralsight.